18.2.1 Replacing oamreg Scripts with Remote Registration Home

IM_ORACLE_HOME/oam/server/rreg/bin contains the scripts (oamreg.bat and oamreg.sh) for performing remote registration. Before you run them, edit the scripts so that the attribute OAM_REG_HOME points to the absolute file location of RREG_HOME.

RREG_HOME will be one directory above where the scripts exist.

For example,

If IM_ORACLE_HOME in a particular Linux environment is:

MW_HOME/Oracle_IDM

The entry for the attribute OAM_REG_HOME in oamreg.sh will be:

export OAM_REG_HOME=MW_HOME/Oracle_IDM/oam/server/rreg

18.2.2 Incorrect SSO Agent Date/Time Shown to User

The default start date on the Create OAM Agent page is based on the Oracle Access Manager server date/time. The date/time shown to the end user is based on the Oracle Access Manager server time zone rather than on the user's machine.

Out of the box, execute permissions are not set for the oamreg.sh and oamreg.bat files in the Oracle Access Manager install location. Before you perform remote registration (rreg), you need to set the execute permissions on the scripts by using the following commands:

chmod +x oamreg.sh OR chmod +x oamreg.bat

Then, you can proceed with the regular remote registration steps.

18.2.4 Initial Messages After Webgate Registration Are Not Shown in the User's Locale

After Webgate registration, the description fields in the initial messages for related components are not shown in the user's locale.

The description field does not support Multilingual Support (MLS).

18.2.5 Error While Browsing Resources Table in the Resource Type Tab

While browsing across the Resources table in the Resource Type tab, the following error message is displayed:

In some cases, if a user name contains Turkish, German, or Greek special characters and another login name differs only in those special characters, the user might pass authentication because of case mappings and case-insensitivity.

Some internationalization characters require special capitalization rules so that the characters do not convert back to the original lower case.

For example, consider SS and ß in German, where ß exists only as a lower-case character. When performing "to Upper" on ß, ß is changed to SS. If the upper-case text is then converted back to lower case, SS becomes ss and not the original ß.
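To make the case-mapping problem concrete, here is an added example in Python (it is not part of these release notes and not Oracle code): a naive comparison that upper-cases both login names treats "Strauß" and "Strauss" as the same user, while a comparison that falls back to exact matching whenever a name does not survive an upper/lower round trip keeps them apart. The names are constructed; the check goes slightly beyond the German case and also covers the Turkish dotless i and the Greek final sigma.

```python
# Added example, not from the Oracle release notes: how case mapping of
# characters such as German ß (U+00DF), Turkish dotless i (U+0131) or Greek
# final sigma (U+03C2) makes distinct login names collide under a naive
# case-insensitive comparison, and a comparison that avoids the collision.
import unicodedata


def naive_match(stored: str, entered: str) -> bool:
    """The risky comparison: upper-case both login names and compare."""
    return stored.upper() == entered.upper()


def roundtrip_stable(name: str) -> bool:
    """True when the lower-case form of the name survives an upper/lower round
    trip. Names containing ß or dotless i do not: "strauß" -> "STRAUSS" -> "strauss"."""
    low = name.lower()
    return low.upper().lower() == low


def safe_match(stored: str, entered: str) -> bool:
    """Compare after NFC normalization. Case folding is applied only when both
    names are round-trip stable; otherwise only an exact match is accepted, so
    "Strau\u00df" never matches "Strauss" and "\u0131smail" never matches "ismail"."""
    s = unicodedata.normalize("NFC", stored)
    e = unicodedata.normalize("NFC", entered)
    if s == e:
        return True
    if roundtrip_stable(s) and roundtrip_stable(e):
        return s.casefold() == e.casefold()
    return False


if __name__ == "__main__":
    for stored, entered in [("Strau\u00df", "Strauss"), ("\u0131smail", "ismail"), ("Alice", "ALICE")]:
        print(f"{stored!r} vs {entered!r}: naive={naive_match(stored, entered)} safe={safe_match(stored, entered)}")
```

The safest policy for an identity store that is queried case-insensitively is still an exact, normalized comparison of the login name; the round-trip check above only relaxes that for names whose case mapping is reversible.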

18.2.9 Oracle Access Manager Authentication Does Not Support Non-ASCII Passwords on Locales Other than UTF8

When the server locale is not UTF-8 and using WebLogic Server embedded LDAP as an identity store, the SSO Authentication page does not support Non-ASCII passwords.

18.2.10 Error Message of Create Agent Shows as Server Locale

When an administrator creates an agent with the same name as one that already exists, the language of the error message displayed is based on the server locale rather than on the browser locale.

18.2.11 Referrals in LDAP Searches

18.2.12 Diagnostic Information Is Not Being Displayed on the Administration Console

Diagnostic information is not displayed in the Oracle Access Manager Console for monitoring Agents when one or more nodes of the cluster are down.

This information can be retrieved using the Oracle Dynamic Monitoring Service (DMS). The steps are as follows:

Using WebLogic credentials, log in to the DMS application

http://<adminserver-host>:<adminserver-port>/dms

On the navigation tree, click OAMS.OAM_Server.OAM_Agents under the DMS Metrics node.

18.2.13 Non-ASCII Resources Require OHS To Restart To Make Protection Take Effect

When you add a resource with a non-ASCII name to the protected authentication policy, the 11g OHS Server must be restarted for the protection to take effect, whereas when you add resources with English characters, protection takes effect in real time without restarting the OHS Server.

If an on success or on failure URL configured for an authentication policy contains non-ASCII characters in the URL specified, then the URL specified will be garbled when it is used during a user authentication. This will happen only when the authentication scheme is Basic Authentication and the end user's browser is the Simplified Chinese version of IE8 running on the Chinese version of Windows.

18.2.15 Resource with Non-ASCII Characters Cannot Be Protected by an OSSO Agent

The OSSO Agent cannot protect a resource because it does not encode the entire resource URL to UTF-8 format.

To work around this issue, use the Webgate Agent instead of the SSO Agent.

Webgate is able to convert the entire resource URL to UTF-8 format.

18.2.16 Error in Administration Server Log from Console Logins

If you log in to the Oracle Access Manager Console as an administrator and then log in to the Console as an administrator in a new browser tab, the following error appears in the administration logs:

18.2.17 Translation Packages Use the Term, Agents, Instead of WebGates

The term Agents has been changed to WebGates.

The issue is that because of this late change, the translation packages are not updated and will continue to use the term, Agents, instead of the preferred term, WebGates.

18.2.18 Application Domain Subtree in the Navigation Tree Is Not Rendered and Does Not Respond to User Actions

If the Application Domain subtree on the navigation tree does not render or respond to user interface actions over a period of time, it may be the result of multiple refreshes.

To work around these issues, restart the administration server and log in to the Oracle Access Manager Console again.

18.2.19 Error in the "Evaluate Single Sign-On Requirements" Help Topic

In the help topic, "Evaluate Single Sign-On Requirements," "Configuring Single Logout for 10g Webgate with OAM 11g Servers" was listed twice under "Review steps to configure single sign-off."

The English version has been corrected to read:

"Step 7 Review steps to configure single sign-off

Configuring Single Logout for 10g Webgate with OAM 11g Servers. More.

Configuring Single Logout for 11g Webgate with OAM 11g Servers. More.

Configuring Single Logout for Oracle ADF Applications. More

The translated version will be fixed.

18.2.20 editWebgateAgent Command Does Not Give An Error If Invalid Value is Entered

The WLST command editWebgateAgent does not give an error when an invalid value is entered for the state field in both online and offline mode. The Oracle Access Manager Console then shows the state field value as neither enabled nor disabled, even though it is a mandatory field.

Location of the Keystore file. The file generated at the OIF Server. (mandatory)

logoutURL

The OIF Server's logout URL. (mandatory)

rolloverInterval

The Rollover Interval for the keys used to enc/decrypt SASSO Tokens (optional)

Example

The following invocation illustrates use of all parameters.

registerOIFDAPPartner(keystoreLocation="/scratch/keystore",
    logoutURL="http://<oifhost>:<oifport>/fed/user/sploosso?doneURL=http://<oamhost>:<oam port>/ngam/server/pages/logout.jsp",
    rolloverTime="526")

18.2.24 User Must Click Continue to Advance in Authentication Flow

In a native integration with Oracle Adaptive Access Manager, the resource is protected by an Oracle Access Manager policy that uses the Basic Oracle Adaptive Access Manager authentication scheme.

When a user tries to access a resource, he is presented with the username page.

After he enters his username, he must click Continue before he can proceed to the password page. He is not taken to this page automatically.

The workaround is for the user to click Continue, which might allow him to proceed to the password page.

After performing rreg (through the console/rreg scripts), the user must click the Refresh button twice on the Policy Configuration tab for any policy-related changes to be visible.

18.2.26 OCSP-Related Fields are Not Mandatory

In the X509 authentication modules, the following OCSP-related fields are no longer mandatory:

OCSP Server Alias

OCSP Responder URL

OCSP Responder Timeout

If OCSP is enabled

The OCSP-related fields should be filled in by the administrator. If they are not filled, there will not be an error from the Console side.

It is the responsibility of the administrator to provide these values.

If OCSP is not enabled

The OCSP-related fields need not be filled in this case. If there are values for these fields, they will be of no consequence/significance, as OCSP itself is not enabled.

In the default out-of-the-box configuration, the OCSP responder URL is http://ocspresponderhost:port. If you make changes to other fields and leave this value as is, you will see a validation error, because the value is still submitted to the back end and, at the Console layer, the port must be numeric. You can either modify the field so that the port is numeric or delete the entire value.

18.2.27 Database Node is Absent in the Console

Under the Data Sources node of the System Configuration tab, Common Configuration section, there is no Databases node in Oracle Access Manager 11g (11.1.1.5).

18.2.28 Online Help Provided Might Not Be Up To Date

Online help is available in the Oracle Access Manager Console, but you should check OTN to ensure you have the latest information.

18.2.29 Agent Key Password Should Be Mandatory for Both the Console and Remote Registration Tool in Cert Mode

Providing the Agent Key Password during registration should be mandatory for both the Oracle Access Manager Console and the Remote Registration tool. Currently it is mandatory for one and not the other.

When registering the 11g Webgate in cert mode through the remote registration tool, the Agent Key Password must be provided. If it is not, the message "The password for cert mode cannot be null. Please enter the valid password" is shown.

The Agent Key Password is not mandatory when registering the 11g Webgate in cert mode through the Oracle Access Manager Console. The password.xml is generated regardless of whether the Agent Key Password is provided or not.

18.2.30 Oracle Access Manager Audit Report AUTHENTICATIONFROMIPBYUSER Throws a FROM Keyword Not Found Where Expected Error

The Oracle Access Manager audit report AuthenticationFromIPByUser uses an Oracle Database 11.2.0 feature and will not work with older database versions. The following error is displayed if an older version is used:

ORA-00923: FROM keyword not found where expected

18.2.31 Disabled: Custom Resource Types Cannot be Created

For Oracle Access Manager 11g, creating custom resource types should not be attempted. In the initial release, the buttons to create/edit/delete resource types were available.

IAMSuiteAgent provides Single-Sign On for the IDM domain consoles including the Oracle Identity Manager, Oracle Adaptive Access Manager and other Identity Management servers created during domain creation. It excludes Single-Sign On protection for Fusion Middleware Control and the WebLogic Server Administration Console.

18.2.33 Use of a Non-ASCII Name for a Webgate Might Impact SSO Redirection Flows

When using the OAM Server with WebGates and when the Webgate ID is registered with a non-ASCII name, the OAM Server may reject that authentication redirect as an invalid request.

To work around this redirection issue, use an ASCII name for the Webgate.

Note:

Resources are protected and error messages do not occur when the administration server and oracle access servers are started on UTF-8 locales.

18.2.34 Authentication Module Lists Non-Primary Identity Stores

In the user interface under the Authentication Module, only the primary identity store should be selected in the list since only primary identity stores can be used for authentication/authorization. Currently, the Oracle Access Manager Console allows you to select identity stores that are not primary.

18.2.35 Unable to Stop and Start OAM Server Through Identity and Access Node in Fusion Middleware Control

The following Oracle Access Manager operations are not supported using the oam_server node under Identity and Access in Fusion Middleware Control:

Start up

Shut down

View Log Messages

However, these operations are supported per Oracle Access Manager managed server instance using the oam_server node (for the specific server) under Application Deployments in Fusion Middleware Control.

Due to a bug, when accessing a protected resource (protected by 11g Webgate) with query parameters containing encoded URL strings, an error is displayed in the browser:

Action failed. Please try again

18.2.37 Changing UserIdentityStore1 Type Can Lock Out Administrators

An Identity Store that is designated as the System Store should not be edited to change the store type (from Embedded LDAP to OID, for instance) or the connection URLs.

If you do need to change the store type or connection URLs of the Identity Store that is designated as the System Store, Oracle recommends that you create a new Identity Store and then edit that registration to mark it as your System Store.

18.2.38 Page Layouts and Locales

The layout of the single sign-on (SSO) Login Page, Impersonation Consent page, Logout Page, Impersonation Error page, and Login Error Page do not change for Arabic and Hebrew locales.

18.2.39 Some Pages Are Not Correctly Localized

The date formats of "Creation Instant" and "Last Access Time" on the Session Management Search page are not correctly localized.

Due to a limitation with the Internet Explorer browser, resources with a non-ASCII query string if you directly type or paste the resource URL.

18.2.41 Oracle Virtual Directory with SSL Enabled

With Oracle Virtual Directory as the user identity store, no errors are seen after changing its registration to use the SSL port, checking the SSL box, and testing the connection (Test Connection button). However, authentication fails (even though the non-SSL port is fine). The first time, Test Connection goes through; any subsequent time it results in a Socket Timeout exception from the Oracle Virtual Directory side.

Workaround: Disable NIO for the SSL port as follows:

Stop Oracle Virtual Directory. For example:

$ORACLE_INSTANCE/bin/opmnctl stopproc ias-component=ovd1

Edit the LDAP SSL listener section of listener.os_xml to add <useNIO>false</useNIO>, as follows:

18.2.42 Query String Not Properly Encoded

There is no encoding on the query string from Webgate when % is not followed by a sequence of characters that form a valid URL escape sequence. In this case, Oracle Access Manager retains % as % in the decoded string and the following error occurs:

No message for The Access Server has returned a status that is unknown to the
Access Gate .Contact your website administrator to remedy this problem.

Workaround:

11g Webgate: To specify the '%' character in a query string, you must specify '%25' instead of '%'.

10g Webgate: The 11g Webgate workaround applies to only the anonymous scheme. For other authentication schemes, there is currently no workaround.
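The two URL-encoding workarounds on this page (UTF-8 encoding of the whole resource URL in 18.2.15, and writing '%' as '%25' in 18.2.42) can be applied in one normalization step before a resource URL is configured or linked to. The following Python is an added example, not code from the release notes or from Oracle: it percent-encodes non-ASCII path and query characters as UTF-8 and rewrites any '%' that does not start a valid two-hex-digit escape. Host names are left untouched, and the sample URLs are constructed.

```python
# Added example, not from the Oracle release notes: normalize a resource URL so
# that non-ASCII characters are percent-encoded as UTF-8 (18.2.15) and a bare
# '%' that is not a valid escape sequence becomes '%25' (18.2.42).
import re
from urllib.parse import quote, urlsplit, urlunsplit

# A '%' followed by exactly two hex digits is a valid escape; anything else is bare.
_BARE_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def has_bare_percent(text: str) -> bool:
    """Detect the condition that triggers the 18.2.42 error."""
    return _BARE_PERCENT.search(text) is not None


def escape_bare_percent(text: str) -> str:
    """Replace every '%' that is not followed by two hex digits with '%25'."""
    return _BARE_PERCENT.sub("%25", text)


def utf8_encode_component(text: str, safe: str) -> str:
    """Percent-encode non-ASCII characters (and anything outside 'safe') as
    UTF-8 bytes, leaving existing valid escapes untouched because '%' is safe."""
    return quote(escape_bare_percent(text), safe=safe, encoding="utf-8")


def normalize_resource_url(url: str) -> str:
    """Apply both workarounds to the path and query of a resource URL."""
    parts = urlsplit(url)
    path = utf8_encode_component(parts.path, safe="/%")
    query = utf8_encode_component(parts.query, safe="=&%+")
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


if __name__ == "__main__":
    for sample in ["http://host.example/\u00e4rger?q=50%off", "http://host.example/a%20b?x=1&y=%41"]:
        print(sample, "->", normalize_resource_url(sample))
```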

18.3 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

For mod-osso, the value for RedirectMethod should be POST; however, the value shipped out of the box is GET. Follow these steps to perform the modification, as this change must be made manually and there is no user interface or WLST command available to do so.

Verify that the oamproxy entries for SharedSecret and sslGlobalPassphrase are generated and available at:

DeployedComponent > Server > NGAMServer > Profile > oamproxy

SharedSecret should have a value different from 1234567812345678 and sslGlobalPassphrase different from changeit.

18.3.4 Auditing Does Not Capture the Information Related to Authentication Failures if a Resource is Protected Using Basic Authentication Scheme

Although a resource can be protected using the BASIC scheme, WebLogic Server has a feature by which it first authenticates the user itself and only then passes the request on to the OAM Server, so failed attempts never reach the OAM Server to be audited.

If you add the following flag under <security-configuration> in config.xml and restart the server, WebLogic Server's own authentication is bypassed:

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

Once the credentials are submitted to the OAM Server, the authentication attempt is audited.

The WebLogic Server Administration Console does not display or log the enforce-valid-basic-auth-credentials setting. However, you can use WLST to check the value in a running server. You must modify this value by setting this in config.xml.
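Because the Administration Console neither shows nor logs this setting, it is worth having an offline check of config.xml. The following Python is an added example (not part of the release notes and not Oracle code) that reads the flag from a config.xml and can write it. The config.xml fragment is constructed, the namespace URI is the one I assume WebLogic 10.3.x writes, and the behaviour when the element is absent (treated as true, i.e. WebLogic validates the credentials itself) is an assumed default.

```python
# Added example, not from the Oracle release notes: audit and set the
# <enforce-valid-basic-auth-credentials> flag in a WebLogic config.xml.
import xml.etree.ElementTree as ET

WLS_NS = "http://xmlns.oracle.com/weblogic/domain"   # assumed config.xml namespace
FLAG = "enforce-valid-basic-auth-credentials"

# Constructed fragment of a config.xml, not a real domain configuration.
SAMPLE_CONFIG_XML = f"""<domain xmlns="{WLS_NS}">
  <name>oam_domain</name>
  <security-configuration>
    <name>oam_domain</name>
    <{FLAG}>false</{FLAG}>
  </security-configuration>
</domain>
"""


def _flag_element(root: ET.Element):
    return root.find(f"{{{WLS_NS}}}security-configuration/{{{WLS_NS}}}{FLAG}")


def enforce_valid_basic_auth(config_xml: str) -> bool:
    """Effective value of the flag: true unless the element is present and false."""
    elem = _flag_element(ET.fromstring(config_xml))
    if elem is None or elem.text is None:
        return True  # assumed WebLogic default when the element is absent
    return elem.text.strip().lower() != "false"


def basic_auth_reaches_oam(config_xml: str) -> bool:
    """True when BASIC credentials are forwarded to the OAM Server unchecked,
    so that failed authentications show up in OAM auditing."""
    return not enforce_valid_basic_auth(config_xml)


def set_enforce_valid_basic_auth(config_xml: str, value: bool) -> str:
    """Return config.xml text with the flag set to value, creating the element
    (and <security-configuration>) when it is missing."""
    ET.register_namespace("", WLS_NS)
    root = ET.fromstring(config_xml)
    sec = root.find(f"{{{WLS_NS}}}security-configuration")
    if sec is None:
        sec = ET.SubElement(root, f"{{{WLS_NS}}}security-configuration")
    elem = sec.find(f"{{{WLS_NS}}}{FLAG}")
    if elem is None:
        elem = ET.SubElement(sec, f"{{{WLS_NS}}}{FLAG}")
    elem.text = "true" if value else "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("BASIC credentials audited by OAM:", basic_auth_reaches_oam(SAMPLE_CONFIG_XML))
```

Run it against a copy of the domain's config.xml; a result of True for basic_auth_reaches_oam means the workaround is in place. Edit the live config.xml only with the administration server stopped, as the text above says the value must be set in the file.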

18.3.5 Incompatible Msvcirt.dll Files

When you install the Oracle Access Manager 10g Webgate, do not replace the current version of msvcirt.dll with a newer version when prompted. If you do so, there may be incompatibility issues. Later, when you try to install OSSO 10g (10.1.4.3), the opmn.exe command might fail to start and the OracleCSService might time out because the required .dll file is missing.

18.3.7.2.4

Using the Oracle Access Manager Console in another browser (Browser 2) or using a WLST script, delete this OAM 11g Webgate.

Now return to the Browser1 where the server instance is opened in edit mode.

Click on the Apply button.

Current Behavior

The Oracle Access Manager Console page for editing the OAM11g Webgate does not change and the tab does not close.

An "OAM11g Webgate configuration not found" error dialog is displayed by the Oracle Access Manager Console.

However, the navigation tree is blank and any attempt to perform an operation results in a javax.faces.model.NoRowAvailableException.

The behavior is incorrect.

18.3.7.2.5

OSSO Agent

Use Case: Concurrent Deletion and Update

Description

Open an OSSO Agent instance in edit mode in the Oracle Access Manager Console in Browser 1.

Using the Oracle Access Manager Console in another browser (Browser 2) or using a WLST script, delete this OSSO Agent.

Now return to the Browser 1 where the OSSO Agent instance is opened in edit mode.

Click on the Apply button.

Current Behavior

Editing the OSSO Agent in the Oracle Access Manager Console results in a null pointer exception.

The behavior is incorrect.

18.3.8 Install Guides Do Not Include Centralized Logout Configuration Steps

Single-Sign On is enabled after Oracle Access Manager is installed; to complete the out-of-the-box configuration of Single-Sign On, centralized logout must be configured post-install. Configure centralized logout by following the directions in these sections:

A NULL pointer exception occurs because configuration events are triggered when the identity store shuts down. The upgrade is successful, however, and error messages are seen in the administration server console. There is no loss of service.

If the NULL pointer exception is seen during upgrade, there is no loss of service and you can ignore the error.

If the NULL pointer is seen during WLST command execution, you must restart the administration server.

In general, the Sun Microsystems JDK 1.4.x compiler is the JDK version used with the Java interfaces of Access SDK Version 10.1.4.3.0.

As an exception, the Java interfaces of the 64-bit Access SDK Version 10.1.4.3.0, specifically for the Linux operating system platform, require the use of the Sun Microsystems JDK 1.5.x compiler.

The new Session Management Engine capability within Oracle Access Manager 11g will create a session for every Access SDK version 10.1.4.3.0 call for authentication.

This may cause issues for customers who use the Access SDK to programmatically authenticate an automated process: the number of sessions generated in the system by Access SDK calls will increase dramatically and cause high memory consumption.

18.3.11 Finding and Deleting Sessions Using the Console

When the session search criteria are generic (using just a wild card (*), for example), there is a limitation on deleting a session from a large list of sessions.

Oracle recommends that your session search criteria is fine-grained enough to obtain a relatively small set of results (ideally 20 or less).

18.4.1 No Warnings Given If Required Details are Omitted

On the Token Mapping page of a new Validation Template with the following characteristics:

WS-Security

Token Type SAML 1.1

Default Partner Profile: requester profile

No warnings are given:

If you check the box to Enable Attribute Based User Mapping but leave the required User Attributes field empty

A new row is not saved if the User Attribute field is empty. However, it is saved if both fields are filled. Removing the value of the User Attribute field in a user-added row causes the row to be deleted when you Apply changes

If you attempt to delete built-in Name Identifier Mapping rows

Built-in Name Identifier Mapping rows cannot be deleted.

18.4.2 New Requester Pages, Internet Explorer v7, and Japanese Locale

When using the Japanese Locale with Internet Explorer v7, the title "New Requester" is not displayed in one line on the page. The Partner, Name, Partner Type, and Partner Profile fields might wrap on the page.

This can occur whether you are creating or modifying the Partner (Requester, Relying Party, and Issuing Authority).

18.4.3 Delete Button Not Disabled When Tables Have No Rows

The Delete button is enabled even though there are no rows to be deleted in the following tables:

18.4.4 Copying an Issuance Template Does Not Copy All Child Elements

Workaround: Navigate to the desired Issuance Template, click the name in the navigation tree and click the Copy Like button. Manually enter missing information from the original: Attribute Mappings or custom attribute tables.

18.4.5 Apply and Revert Buttons are Enabled

The Apply and Revert buttons are enabled on Oracle Security Token Service pages even if there are no changes to apply or saved changes to revert to the previous version.

18.4.6 Only Generic Fault Errors Written to Oracle WSM Agent Logs

No content is written to the logs for Oracle WSM agent errors. There is only a generic fault error.

18.4.7 Server and Client Key Tab Files Must be the Same Version

An exception occurs when authenticating the Kerberos token if WebLogic 10.3.5 is configured with a Sun JDK6 update greater than u18.

When using the Kerberos token as an authentication token requesting the security token from Oracle Security Token Service:

The keytab file configured in the validation template should always be the latest version from the KDC server

The KVNO should always be the latest that is available on the server:
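A stale keytab is easy to detect before it causes the exception above: the key version number (KVNO) stored in the keytab must match the KVNO the KDC currently reports for the service principal. The following Python is an added example, not from the release notes or from Oracle. It parses the output of "klist -k -t <keytab>" in the MIT Kerberos layout (assumed) and compares the highest stored KVNO with the value the KDC reports (for example from the "kvno" tool, or from the KDC administrator). The klist output below is constructed, and the principal and host names are placeholders.

```python
# Added example, not from the Oracle release notes: check whether a keytab
# holds the current key version (KVNO) for a service principal.
import re
from typing import Dict

# Constructed "klist -k -t" output; the keytab path and principals are placeholders.
SAMPLE_KLIST_OUTPUT = """Keytab name: FILE:/path/to/oam.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/10/2011 09:15:00 HTTP/oam.example.com@EXAMPLE.COM
   3 03/22/2011 14:02:11 HTTP/oam.example.com@EXAMPLE.COM
   5 03/22/2011 14:02:11 host/oam.example.com@EXAMPLE.COM
"""

# One entry line: KVNO, date, time, principal (the -t option adds the timestamp columns).
_ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")


def keytab_kvnos(klist_output: str) -> Dict[str, int]:
    """Map each principal in the keytab to the highest KVNO stored for it."""
    result: Dict[str, int] = {}
    for line in klist_output.splitlines():
        m = _ENTRY.match(line)
        if m:
            kvno, principal = int(m.group(1)), m.group(2)
            result[principal] = max(kvno, result.get(principal, 0))
    return result


def keytab_is_current(klist_output: str, principal: str, kdc_kvno: int) -> bool:
    """True when the keytab contains exactly the KVNO the KDC reports; a missing
    principal or an older key version means the keytab must be regenerated."""
    return keytab_kvnos(klist_output).get(principal) == kdc_kvno


if __name__ == "__main__":
    # In practice: klist_output = subprocess.run(["klist", "-k", "-t", keytab], capture_output=True, text=True).stdout
    print(keytab_kvnos(SAMPLE_KLIST_OUTPUT))
    print("current:", keytab_is_current(SAMPLE_KLIST_OUTPUT, "HTTP/oam.example.com@EXAMPLE.COM", 3))
```

If the check fails, export a fresh keytab from the KDC and replace the one referenced by the validation template rather than editing the old file.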

18.4.8 Default Partner Profile Required for WS-Security

The Oracle Access Manager Access Administration Guide states "When you toggle the Token Protocol from WS-Trust to WS-Security, options in the Token Type list do not change. However, the required "Default Partner Profile" list appears from which you must choose one profile for WS-Security."

Correction: When you toggle the Token Protocol from WS-Trust to WS-Security, a required field "Default Partner Profile" appears. You must choose a value for this field. If you toggle back to WS-Trust without choosing a value for this field, the options in the Token Type list are not updated correctly to the WS-Trust Token Type values.

18.4.9 SAML Token Issued When NameID is Not Found

Rather than returning an error response, an assertion issued with an empty NameIdentifier field can be issued even when the NameIdentifier user attribute has a null or empty value. For example:

18.5.1 WNA Authentication Does Not Function on Windows 2008

If the clients are configured to use DES-only encryption, users will not be able to access protected resources with Kerberos authentication. The error message "An incorrect username and password was specified" might be displayed.

Because the initial Kerberos tokens are not present, the browser sends NTLM tokens, which the OAM Server does not recognize; therefore, the user authentication fails.

The workaround is to enable the encryption mechanisms, and follow the procedure mentioned in: